ACME timeout, no DNS or firewall error


#1

My domain is: mail.lucakrebs.de

I ran this command: certbot certonly -d mail.lucakrebs.de --rsa-key-size 4096 --must-staple

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1

The following errors were reported by the server:

The server could not connect to the client to verify the domain

Domain: mail.lucakrebs.de
Type: connection
Detail: Fetching http://mail.lucakrebs.de/.well-known/acme-challenge/oqxBnDBSu7lo_iaadelhgnjRDPCeUMLFqfLYt0-qzEo: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

My web server is (include version): No Webserver installed, but I tried already with apache2

The operating system my web server runs on is (include version): Debian 9.4

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hey, I’m not new to certbot, so this is a bit confusing to me.
I have 2 vServers, one on the
IPv4 88.99.172.5 (lucakrebs.de) / IPv6 2a01:4f8:c0c:36c::2 (lucakrebs.de)
and one on the
IPv4 94.130.180.171 (mail.lucakrebs.de) / IPv6 2a01:4f8:1c0c:40a6::1 (mail.lucakrebs.de)

On the first one (lucakrebs.de) everything has been set up perfectly correctly for over a year now. I have even scored A+ on SSL Labs for over a year now; however, for 2 days I’ve been trying to figure out why I get the above error on my second vServer (mail.lucakrebs.de).
I need the certificate for a Docker mailcow mail server.
As you can see here: https://acme-v01.api.letsencrypt.org/acme/authz/oqxBnDBSu7lo_iaadelhgnjRDPCeUMLFqfLYt0-qzEo
ACME gets the DNS records and all of this correct, but anyway, it just won’t work.
I can access the server perfectly over port 80/tcp and port 443/tcp, so no firewall error here (currently I have it offline because of some settings I’m going to change), but somehow ACME gets a timeout.
Anyone got an idea?


#2

Hi @luca-exe,

You could make it pause with --debug-challenges and then use netstat or ss to see if it’s really listening on IPv6. What version of Certbot is this?


#3

Hey schoen,
it’s certbot version 0.21.1. I already tried it with netstat -ntlp and yes, it is listening on tcp/6 :::80


#4

Interesting! Do you have another machine elsewhere with IPv4 and IPv6 connectivity where you could try using curl -4 and curl -6 with the challenge URL (with --debug-challenges)?
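A scripted version of the per-family check suggested here, added as an example (not code from the thread or from Certbot): it resolves the A and AAAA records, fetches the challenge path from each literal address with a timeout, and reports which family times out. The host and token in the usage comment are placeholders.

```python
# Added example, not from the thread: fetch an HTTP-01 challenge URL over IPv4
# and IPv6 separately ("curl -4" / "curl -6" from reply #4), per published address.
import socket

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def http_fetch(host, addr, family, path, timeout=5.0):
    """GET `path` from one literal address (no DNS re-lookup); return the HTTP status."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((addr, 80))
        req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(req.encode("ascii"))
        status_line = s.makefile("rb").readline().decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {status_line!r}")
    return int(parts[1])

def resolve(host):
    """Return {'A': [...], 'AAAA': [...]} as seen by the local resolver."""
    out = {"A": [], "AAAA": []}
    for fam, _, _, _, sa in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        key = "AAAA" if fam == socket.AF_INET6 else "A"
        if sa[0] not in out[key]:
            out[key].append(sa[0])
    return out

def probe_challenge(host, token, records, fetch=http_fetch, timeout=5.0):
    """Try the challenge URL once per published address; map address -> verdict."""
    path = CHALLENGE_PREFIX + token
    results = {}
    for rrtype, family in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        for addr in records.get(rrtype, []):
            try:
                results[addr] = f"HTTP {fetch(host, addr, family, path, timeout)}"
            except (socket.timeout, TimeoutError):
                results[addr] = "timeout"      # the verdict the CA reported above
            except (OSError, ValueError) as exc:
                results[addr] = f"error: {exc}"
    return results

def families_with_failures(results):
    """Address families (A/AAAA) with at least one address that gave no HTTP status."""
    bad = {"AAAA" if ":" in addr else "A"
           for addr, verdict in results.items() if not verdict.startswith("HTTP ")}
    return sorted(bad)

# Usage (needs network): probe_challenge("mail.example.test", "<token>", resolve("mail.example.test"))
```

Run it while certbot is paused with --debug-challenges so the standalone listener is up; an address that reports "timeout" while the other family answers points at a path or firewall problem on that family only.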


#5

Hey schoen,

well, mailcow has a built-in method to build Let’s Encrypt certificates and I tried to just use it… It worked. I don’t know how, but it did. I can’t use OCSP stapling now, but whatever; thank you very much anyway.

